Threat actors are capitalizing on undisclosed vulnerabilities in select routers and network video recorder (NVR) devices to construct a Mirai-based distributed denial-of-service (DDoS) botnet known as InfectedSlurs.
Zero-day remote code execution vulnerabilities have been uncovered, which can be exploited if default admin credentials provided by device manufacturers remain unchanged—a commonly overlooked security measure.
Researchers from Akamai’s Security Intelligence Response Team (SIRT) detected the botnet through global honeypots, revealing its focus on NVR devices from a specific manufacturer. The SIRT identified an unexpected zero-day exploit actively used in the wild during their investigation.
Further scrutiny revealed another targeted device—an wireless LAN router designed for hotels and residential use—from a different manufacturer. The researchers notified both manufacturers of the vulnerabilities, with patches expected next month. Until then, the manufacturers’ identities remain undisclosed to prevent potential exploitation.
The targeted router, manufactured by a Japanese vendor known for switches and routers, had a confirmed exploit by Japan’s Computer Emergency Response Team (JPCERT). The researchers, however, were uncertain if more models from the company’s catalog were affected.
The botnet earned the moniker “InfectedSlurs” due to racial epithets found in the naming conventions of its command-and-control domains. It primarily uses an older JenX Mirai variant from 2018, known for exploiting hosting services running multiplayer Grand Theft Auto versions to infect IoT devices.
The researchers plan to share more insights into the InfectedSlurs campaign once manufacturers mitigate the attacks. Meanwhile, they advise security teams to verify IoT devices, such as NVRs, ensuring they aren’t using default credentials.
Protecting Against InfectedSlurs
To protect against the InfectedSlurs threat and similar risks associated with the exploitation of zero-day vulnerabilities in routers and NVR devices, consider implementing the following recommendations:
- Change Default Credentials
- Immediately change the default administrator credentials on your routers and NVR devices. This is a critical step in preventing unauthorized access.
- Regularly Update Firmware
- Keep device firmware up to date by regularly checking for and applying manufacturer-issued updates and patches. This helps mitigate known vulnerabilities.
- Network Segmentation
- Implement network segmentation to restrict unauthorized access and contain potential threats. This can help prevent lateral movement within your network.
- Network Monitoring
- Set up robust network monitoring solutions to detect unusual or suspicious activities. Monitor for unexpected network traffic patterns and investigate any anomalies promptly.
- User Training
- Educate users and administrators about the importance of strong password practices, the risks of default credentials, and the significance of keeping devices updated.
- Disable Unused Services
- Disable any unnecessary services or features on routers and NVR devices to minimize potential attack surfaces. Only enable services that are essential for your network’s functionality.
- Access Control Policies
- Implement strict access control policies to limit access to network devices. Grant permissions based on the principle of least privilege to minimize the impact of potential breaches.
- IoT Device Inventory
- Maintain an inventory of all IoT devices connected to your network, including routers and NVRs. Regularly audit and update this inventory to track changes and identify potential vulnerabilities.
- Incident Response Plan
- Develop and regularly update an incident response plan that includes specific procedures for responding to security incidents related to routers and NVR devices. Ensure that your team is well-prepared to handle potential threats.
- Collaboration with Vendors
- Collaborate with device manufacturers and stay informed about security updates and patches. Establish a communication channel with vendors to receive timely information about vulnerabilities and mitigations.
- Periodic Security Audits
- Conduct periodic security audits to assess the overall security posture of your network. This includes vulnerability assessments and penetration testing to identify and address potential weaknesses.
- Stay Informed
- Stay informed about the latest cybersecurity threats and vulnerabilities. Subscribe to security alerts, advisories, and news from reputable sources to be aware of emerging risks.
By implementing these recommendations, organizations can enhance their security posture and reduce the risk of falling victim to threats like InfectedSlurs. Regularly reassess and update security measures to adapt to evolving threats in the cybersecurity landscape.